How do I block pings from the outside to the ASA 5505 outside interface?

tdennehy
Level 1

I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.

I created an ACL to try and do the trick, also to no avail:

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in in interface outside

access-group outside_in in interface outside

Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell. 

Thanks in advance...

Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface

Most networks that you protect with a Cisco ASA device will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.

ASA5505(config)#icmp deny any outside

You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

1 Reply

ericgarnel
Level 7

You are allowing echo-reply, thus it will reply to a ping.

Try this ACL:

icmp deny any echo-reply outside

From: https://supportforums.cisco.com/thread/223769

Eric
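
An added example (not from the thread or from Cisco): a small Python model of how the ASA evaluates `icmp permit|deny` rules for ICMP addressed to an interface itself, used to check what a rule set does to echo requests and to unreachables. It assumes the documented behaviour that the first match wins, that an interface with no `icmp` rules answers everything, and that an interface with any rule gets an implicit deny at the end; the function names, sample configurations and source address are constructed.

```python
import ipaddress

# ICMP type keywords used here (a subset of what the ASA accepts).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

def parse_icmp_rules(config, ifname):
    """Return ordered (action, network, icmp_type) tuples for one interface."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny") or tok[-1] != ifname:
            continue  # skips e.g. "icmp unreachable rate-limit ..." and other interfaces
        action, body = tok[1], tok[2:-1]
        if body[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), body[1:]
        elif body[0] == "host":
            net, rest = ipaddress.ip_network(body[1] + "/32"), body[2:]
        else:  # "<ip_address> <net_mask>"
            net, rest = ipaddress.ip_network(f"{body[0]}/{body[1]}"), body[2:]
        rtype = None  # None means the rule covers every ICMP type
        if rest:
            rtype = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        rules.append((action, net, rtype))
    return rules

def to_the_box_icmp(config, ifname, src, icmp_type):
    """First match wins; no rules => permit; rules but no match => implicit deny."""
    rules = parse_icmp_rules(config, ifname)
    if not rules:
        return "permit"
    for action, net, rtype in rules:
        if ipaddress.ip_address(src) in net and rtype in (None, icmp_type):
            return action
    return "deny"

# Constructed sample configurations (the two middle rules are the ones quoted in the thread).
NO_RULES = "icmp unreachable rate-limit 1 burst-size 1"
DENY_ALL = "icmp deny any outside"
REPLY_RULE = "icmp deny any echo-reply outside"
ECHO_ONLY = "icmp deny any echo outside\nicmp permit any outside"

def report(src="203.0.113.10"):
    configs = {"no rules": NO_RULES, "deny all": DENY_ALL, "reply rule": REPLY_RULE, "echo only": ECHO_ONLY}
    return {name: {t: to_the_box_icmp(cfg, "outside", src, n) for t, n in ICMP_TYPES.items()}
            for name, cfg in configs.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Under this model a rule set made only of deny lines also drops ICMP unreachable (type 3) sent to the interface, because of the implicit deny; the last sample denies echo and explicitly permits everything else.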
